I.e.
<search1>: ... | table id, f1, f2, f3
<search2>: ... | table id, f1, f2
I need to find all records in <search1> that are not equal to any record in <search2>.
If I do something like:
<search1> | search NOT [<search2>]
Splunk will not consider a record, let's say <record1>: id=someID, f1=1, f2=2, f3=3 in <search1>, different from record <record2>: id=someID, f1=1, f2=2 from <search2>, because field f3 will not be present in the boolean expression generated by the subsearch. So it will not pass <record1> to the final record set, but I need it there.
So what is the best approach there?